Some cookies on this site are essential, and the site won't work as expected without them. These cookies are set when you submit a form, login or interact with the site by doing something that goes beyond clicking on simple links.

We also use some non-essential cookies to anonymously track visitors or enhance your experience of the site.

To control third party cookies, you can also adjust your browser settings.

SERVICES

Press Releases

Browse our press release archive

Virus experts at Sophos have discovered two new mass-mailing email viruses which attempt to spread a message in support of the "Fathers 4 Justice" campaign. The campaign has made headlines in the UK and elsewhere around the world because of high profile media stunts perpetrated by some of its members, such as scaling the walls of Buckingham Palace dressed as the superhero Batman.

The W32/Mirsa-A and W32/Mirsa-B worms arrive as an attached file in an email. The emails sent containing the Mirsa-A variant pretend that the malicious attachment is a resume or curriculum vitae, whereas the Mirsa-B variant uses subject lines such as "How NOT to get Promotion", "Memorandom to all staff", "Urgent Document", "Extremely Important", and "Private and personal".

If the attached file is run, the worm will email itself out to addresses found in the Windows Address Book and copy itself into files on the infected user's hard drive. The worms also attempt to drop a section of text onto the user's hard drive.

W32/Mirsa-B also creates an internet link on the user's desktop to the Fathers 4 Justice website.

"Whoever wrote these viruses is clearly supportive of the Fathers 4 Justice campaign, but rather than dressing up as Batman and clambering up the walls of Buckingham palace to show his support he has turned to computer crime. However, people whose computers are hit by this worm are likely to be less than sympathetic," said Graham Cluley, senior technology consultant for Sophos. "It seems unlikely that the Fathers 4 Justice pressure group would approve of this kind of action, but it seems doubtful that this will be the last time a virus will be used to spread a political message."

Although there have been very few reports of the W32/Mirsa worms, Sophos recommends computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.

A clue in the code?

Intriguingly, the W32/Mirsa-A contains a possible clue which could potentially lead to the worm's author. Hidden inside the virus, and not normally displayed to the infected user, is a section of text: "sheffield hallam university is corrupt".

Hidden inside the W32/Mirsa-A worm is a message about Sheffield Hallam University

"It's impossible to say for certain - but the virus author may be a current or past student of the university. Or maybe they're a disgruntled member of staff?," said Cluley. "Of course, it may be a complete red herring - but often virus writers have been unable to resist the temptation to put a message which has helped to later identify them inside their virus."

Other viruses which have spread a political message:

W32/Maslan-CLaunched a series of denial-of-service attacks against websites run by Chechen rebel seperatists.

W32/Zafi-CAttacked the website of the newly appointed Hungarian Prime Minister.

W32/Zafi-ADisplays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.

W32/Quaters-ALaunches a scathing attack on British Prime Minister Tony Blair and attempts to knock the Downing Street website off the internet.

W32/Colevo-ARedirects the web browsers of infected computers to a variety of pictures of Evo Morales, leader of the Bolivian coca leaf growers' union and runner-up in 2002's presidential elections.

W32/Vote-ACalls for a vote on whether America should go to war against the followers of Islam.

W32/Yaha-QApparently written in response to attacks on Indian websites, this worm not only attempts to launch a denial of service attack against five Pakistani websites, but also contains a number of inflammatory messages directed at Pakistani hackers.

W32/Yaha-ELaunches a denial-of-service attack against a Pakistani government website.

Injustice worm (also known as VBS/Staple-A)Opens a number of pro-Palestinian websites and describes the alleged murder of a 12-year-old Palestinian child at the hands of Israeli soldiers. In addition, the worm spams itself to members of the Israeli government.

W32/Caric-APoses as a cartoon screensaver of former US President Bill Clinton playing the saxophone. An item of female underwear emerges from the bottom of the instrument.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.